There is a lot of scuttlebutt surrounding the marking of CUI.
If you are a SUB, your PRIME is responsible for identifying CUI and providing instructions on how to mark the documents.
NOTE: Do not assume everything is CUI – remember, you must be at CMMC Leve 3 or NIST 800-53 to hold and manage CUI.
For general instructions on CUI, see https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf
The National Archives and Records Administration manages an online searchable repository of CUI data at https://www.archives.gov/cui .
Use the service to help determine the classification of data and to inform your policies and conversations – reach out to your prime or agency of record for specifics regarding your project.
An SPRS Score is a numerical representation of your NIST 800-171/53 compliance maturity level. This score is used to determine your eligibility to receive awards from the DOD.
Supplier Performance Risk System
The Supplier Performance Risk System documents vendor self assessment results for DOD Acquisition Professionals. This system is ONLY used by DOD personnel – not primes or subs.
You get an SPRS score from conducting a self assessment of your NIST 800-171/53 adoption/compliance.
An SPRS score is calculated based upon your “adoption” and “maturity of” adoption of specific NIST controls. You will use a pre-formatted spreadsheet to conduct your analysis and arrive at a score.
Roll your own from the documentation OR contact us and we will send you one.
A current CAGE Code
An InfoSec professional familiar with the process will save you time and be able to identify systems/services that may improve your score. You may not need much help, but laser focused assistance can save you a lot of time and money.
FCI is information provided by or generated for the Government under contract not intended for public release. (FARS)
Federal Acquisition Regulation Clause 52.204-21
Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Defense Federal Acquisition Regulation Supplement DFARS Clause 252.204-7012
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.